Releases: flaix/gitblit
1.9.3
Update Note
The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
!! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !!
There is a security vulnerability in version 1.9.2, which allows an attacker to gain
elevated access rights. This is present when the Config User Service is used as the
user service, which is the default.
Version 1.9.2 introduced a new implementation to store user data in the user config file
which holds user name, password, access rights etc. This was done to solve problems with
very large user bases (PR #1364). This new implementation does not properly escape all
control characters, such as newline and tab. As a result, a normal user, when logged into
Gitblit, can edit their profile data and enter values (e.g. in the email address) that are
interpreted as control characters in the text file stored on disk. This allows a malicious
user to give their own account e.g. elevated access rights.
This is fixed in 1.9.3. Existing installations should be updated to 1.9.3, not 1.9.2.
Many thanks to Github user @YYHYlh for finding and reporting this issue (issue #1410).
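To show why the fix above matters, here is an added illustration (not Gitblit's own code) of escaping user-supplied values before they are written to a git-config-style text file, the format users.conf uses. It follows the documented git-config quoting rules rather than JGit's exact routine; the key names in SAMPLE are constructed.

```python
"""Escaping user-supplied values before writing them to a git-config-style
text file.  Added illustration, not Gitblit's code: it follows the documented
git-config quoting rules, not JGit's routine; SAMPLE keys are constructed."""
import re

# Control characters other than newline and tab have no escape form in
# git-config, so they are rejected instead of written.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def escape_value(value: str) -> str:
    """Return a value that a git-config parser reads back as one line."""
    out = (value.replace("\\", "\\\\")
                .replace('"', '\\"')
                .replace("\n", "\\n")
                .replace("\t", "\\t"))
    if _CONTROL.search(out):
        raise ValueError("unsupported control character in value")
    # Quote when edge whitespace would be trimmed or ';'/'#' would start
    # a comment; an empty value must also be written as "".
    if out == "" or out != out.strip() or ";" in out or "#" in out:
        out = '"' + out + '"'
    return out

def write_section(name: str, fields: dict, escape) -> str:
    """Serialise one [user "name"] section, passing values through escape()."""
    lines = [f'[user "{escape(name)}"]']
    for key, val in fields.items():
        lines.append(f"\t{key} = {escape(val)}")
    return "\n".join(lines) + "\n"

def parse_keys(text: str) -> list:
    """Minimal reader returning the key names a git-config parser sees."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[;#":
            continue
        keys.append(line.split("=", 1)[0].strip())
    return keys

# Constructed profile input: a newline and a tab inside the email field,
# the control characters the 1.9.2 writer left unescaped.
SAMPLE = {"displayName": "Alice",
          "emailAddress": "alice@example.org\n\tinjected = yes"}

if __name__ == "__main__":
    print(parse_keys(write_section("alice", SAMPLE, lambda v: v)))  # 3 keys
    print(parse_keys(write_section("alice", SAMPLE, escape_value)))  # 2 keys
```

With the naive writer the newline ends the email value and the remainder becomes a third key; with escaping the parser sees exactly the two keys that were written.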
Security
- Fix escaping control characters in config user service, resolving a security vulnerability. (issue gitblit-org#1410)
1.9.2
Update Note
The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
Fixes
- Fix raw links broken for branches with a forward slash in the name (issue gitblit-org#1290, issue gitblit-org#1234, issue gitblit-org#813)
- Fix markdown links to files in subfolders (issue gitblit-org#1358, PR gitblit-org#1392 by @TomaszSzt)
- Fix high CPU load when saving huge users.conf file (PR gitblit-org#1364 by @Curly060)
- Fix broken encoding in Norwegian language file (issue gitblit-org#834, PR gitblit-org#1379)
- Fix various issues (typos, broken and duplicate keys) in language properties files (PR gitblit-org#1380 by @flaix)
- Fix mirrored HTTP(S) with a user name and password (issue gitblit-org#1059, PR gitblit-org#1381 by @edram)
- Fix relative time display being off on activity page (issue gitblit-org#800, issue gitblit-org#1248, PR gitblit-org#1382)
- Fix URL encoding for links to raw view for files (issue gitblit-org#1375, PR gitblit-org#1383)
- Resolve StackOverflowErrors on page serialization (issue gitblit-org#1011, PR gitblit-org#1141 by @tomaswolf)
- Fix double encoding links in Markdown/Wiki pages (issue gitblit-org#864)
Changes
- Updated traditional Chinese translation (PR gitblit-org#1367 by @YMNNs)
- Make it possible to call the Windows batch commands on the command line from a different folder (PR gitblit-org#1370 by @Zwixx)
- Updated Japanese translation (PR gitblit-org#1398 by @TakehideMorimoto)
Additions
- Add service scripts for FreeBSD (PR gitblit-org#1345 by @davehofmann)
- Add Russian translation (PR gitblit-org#1343 by @vhot2076)
1.9.0
Update Note
Gitblit uses Servlet 3.0 and thus drops support for Tomcat 6. Run on Tomcat 6 at your own risk.
With the update to Lucene 5.5.2, reindexing of the tickets is necessary. This is done automatically during the first server start after an upgrade. Depending on the number of tickets you have, this could take a little while. The old index is kept, so that a downgrade is still possible without losing information. The old index can be deleted when a downgrade is no longer required.
The interface for the ITicketService changed. If you have your own derived implementation, rename start to onStart (see commit 63dbdfd).
To support Java 9+, Gitblit can no longer load JARs from the 'ext' folder by itself. In order to include the folder, it needs to be added to the classpath explicitly by changing the command line. Check the new start scripts to see the new required command line.
The 1.9 minor version will be the last to support Java 7. From 1.10 on Gitblit will require Java 8.
When the realm.ldap.bindpattern property is set, GitBlit will only bind as the user to LDAP, not to a manager account or anonymously.
Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in.
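The rehash-on-login behaviour described above, as an added example that is not Gitblit's code: a login routine that verifies against whatever scheme the stored value uses and, on success, rewrites the entry with PBKDF2. The "SCHEME:..." storage format and the iteration count are assumptions.

```python
"""Opportunistic upgrade of a stored password hash at login.  Added example,
not Gitblit's code: the "SCHEME:..." storage format and ITERATIONS are
assumptions, and the user entries below are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumed work factor; tune per deployment

def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with PBKDF2-HMAC-SHA256 and a fresh 16-byte salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"PBKDF2:{salt.hex()}:{digest.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against whichever scheme the stored value uses."""
    if stored.startswith("PBKDF2:"):
        _, salt_hex, digest_hex = stored.split(":")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), ITERATIONS)
        return hmac.compare_digest(calc.hex(), digest_hex)
    if stored.startswith("MD5:"):  # deprecated unsalted scheme
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(),
                                   stored[4:])
    return hmac.compare_digest(stored, password)  # deprecated plaintext

def login(store: dict, username: str, password: str) -> bool:
    """Authenticate; on success, rehash anything not yet stored as PBKDF2."""
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("PBKDF2:"):
        store[username] = hash_pbkdf2(password)  # upgrade while we have it
    return True

if __name__ == "__main__":
    users = {"bob": "bob-secret"}  # constructed plaintext entry
    print(login(users, "bob", "bob-secret"), users["bob"][:7])  # True PBKDF2:
```

A failed login leaves the old entry untouched, so the upgrade only happens once the plaintext password has been proven correct.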
Highlights:
* Collapsible and nested repository groups on the repositories page
* Runs on Java 11
* Retrieve SSH keys from LDAP
* User language preference
* Option to merge ticket branches fast-forward or with merge commit
Security
- Change authentication cookie to use random value instead of user information (issue gitblit-org#1063, PR gitblit-org#1116)
- Increase cookie security (PR gitblit-org#1167)
Fixes
- Fixed wrong HTML entity (&rt;) in HTML emails (PR gitblit-org#1105)
- Fixed Dutch translation (PR gitblit-org#1130)
- Changed LDAP binding strategies, to correctly find team membership (issue gitblit-org#833, issue gitblit-org#920, PR gitblit-org#247, PR gitblit-org#1149)
- Fixed disabled links in the PagerPanel to really be disabled (PR gitblit-org#1147)
- Set "can admin" permission on LDAP users and teams correctly (PR gitblit-org#1152)
- Fixed user mentions in tickets (issue gitblit-org#985)
- Fixed JEE Servlet 3.0 definition (issue gitblit-org#1132, PR gitblit-org#1178)
- Fixed proxy setup documentation (PR gitblit-org#1183)
- Fixed bug with reverse proxy when using a non-standard HTTPS port (issue gitblit-org#1114, PR gitblit-org#1201)
- Fixed wrapping of last column in tree page (PR gitblit-org#1202)
- Fixed NPE with unsupported transport URL protocol (PR gitblit-org#1238)
- Fixed unit tests by providing zipped local versions of external git repositories used for tests (issue gitblit-org#1275, PR gitblit-org#1309)
- Fixed NPE for symbolic links to repositories (issue gitblit-org#837, issue gitblit-org#891)
- Fixed NPE for ticket milestones without due date (PR gitblit-org#1278)
- Fixed NPE with special characters in repository names (issue gitblit-org#999, PR gitblit-org#1194)
- Fixed NPE when stopping GitBlit
- Fixed exception due to MAC error on SSH connections (issue gitblit-org#1282)
- Fixed link to LDAP sample LDIF file in documentation
- Fixed NPE on unknown git commands (issue gitblit-org#1092)
- Fixed NPE for URLs to non-existing documents (PR gitblit-org#1324)
Changes
- Updated traditional Chinese translation (PR gitblit-org#1110)
- Load commit cache in the background to improve start-up time (PR gitblit-org#1140)
- Improved logging when sending emails fails, to assist in analysis (PR gitblit-org#1144)
- Support customized IUserService that can access application settings (PR gitblit-org#1171)
- Added feedback for invalid input on user SSH key form (PR gitblit-org#1239)
- Encode email sender's name with UTF-8 (PR gitblit-org#1206)
- Made Gitblit run on Java 9+ (issue gitblit-org#1262, issue gitblit-org#1294, PR gitblit-org#1266)
- The JRE version is reported upon starting
- Add the ext directory to the classpath on the command-line to start Gitblit and related programs
- Report back that git command clone.bundle is unsupported instead of simply failing
Additions
- Added option to merge a ticket branch to the integration branch fast-forward or with a merge commit (PR gitblit-org#1142)
- Added SSH key manager that retrieves keys from LDAP directory (PR gitblit-org#1160)
- Updated Korean translation (PR gitblit-org#1176)
- The list of SSH authentication methods accepted by the server was made configurable (PR gitblit-org#1159)
- User language preference setting (PR gitblit-org#1198)
- Gitblit Authority sends user certificate email based on user preferred language (PR gitblit-org#1198)
- List branches over RPC for a given repository (PR gitblit-org#1192)
- Added Czech translation (PR gitblit-org#1200)
- Added setting to set HTTP idle timeout to prevent timeouts when cloning large repositories over HTTP(S) (PR gitblit-org#1243)
- Made the repository groups on the repositories page collapsible (issue gitblit-org#527, PR gitblit-org#1224)
- Made the repository groups on the repositories page nested (issue gitblit-org#725, PR gitblit-org#1267)
- Added PBKDF2 as password hashing algorithm. Other password storage choices are deprecated (issue gitblit-org#1166, PR gitblit-org#1172)